Kazuar

Kazuar is a backdoor trojan used by the Turla APT group (also known as "Uroburos" and "Snake"). It is written using the Microsoft .NET Framework and gives the threat actors complete access to compromised devices, along with the ability to remotely load plugins for additional capabilities. This fully featured backdoor is obfuscated using the open-source packer ConfuserEx. Variations of Kazuar also target Mac and Linux operating systems. Its code is very organized and uses different folders to store code for specific tasks. It communicates with C2 servers, most of which are hacked WordPress sites; exfiltrates data via HTTP, HTTPS, FTP, or FTPS; and executes shell commands on Windows via cmd.exe and on Linux via /bin/bash. Kazuar's C2 infrastructure also allows the threat actors to ping the victim machine in order to send new instructions, which lets them migrate C2 servers and bypass some security solutions that focus on outbound connections to suspicious domains.

Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the NJCCIC and the State of New Jersey.